Skip to main content
Collectiv. Studio

Last updated: April 2026

Privacy policy

This policy explains how Collectiv. Studio ("we", "us") collects and uses personal information when you use collectivstudio.uk and our client portal. We process data in the United Kingdom in line with the UK GDPR and the Data Protection Act 2018.

Who we are

Business name: Collectiv. Studio
Trading name: Collectiv. Studio
Location: Bristol, UK
Website: collectivstudio.uk
Contact: isabella@collectivstudio.uk
Data controller: Isabella Pearce

For data protection questions, contact us at isabella@collectivstudio.uk.

What data we collect

  • Contact forms: name, email address, phone number (if you provide it), company or business name (if you provide it), and the content of your message.
  • Client portal: account details including name, email address, and a secure password hash (we never store your password in plain text).
  • Project work: files and content you upload for your project (for example brand assets, copy, images, and other documents).
  • Payments: we do not store card details on our systems. Payments are handled manually today; we may use Stripe or similar in future and will update this policy if that changes.
  • Technical data: IP addresses when you submit website contact forms, used for spam prevention and rate limiting. See our Cookies policy for information on cookies and similar technologies.

How we use your data

  • To respond to enquiries sent through our website.
  • To provide and manage the client portal and deliver our services under contract.
  • To send project-related notifications and updates (for example comments, approvals, or file activity).
  • To send service emails that relate to your work with us (for example contracts, quotes, deposit confirmations, and similar operational messages).

We do not sell your personal data. We do not use your data for general marketing communications unless you have clearly agreed (for example by signing up to a specific mailing list).

Legal basis for processing (UK GDPR Article 6)

  • Contract — where processing is needed to deliver services to clients, run the portal, and send emails that are part of that relationship.
  • Legitimate interests — for example spam prevention, security, improving our services, and responding to enquiries where this is balanced against your rights.
  • Consent — where we rely on consent (for example optional marketing), you can withdraw it at any time by contacting us.

How long we keep data

  • Website enquiries: up to 2 years from submission, unless we need to keep them longer for an ongoing discussion or legal reason.
  • Client accounts and project context: for the length of the contract plus 2 years, unless a longer period is required by law or dispute.
  • Project files: for the length of the contract plus 1 year, unless we agree otherwise or law requires longer retention.
  • Financial records: up to 7 years where required for UK tax and accounting (HMRC).

After these periods we delete or anonymise data where we no longer have a lawful reason to keep it.

Who we share data with (processors)

We use carefully chosen providers to run our website and portal. They process data only on our instructions.

  • Vercel — website and application hosting. Data may be processed in the EU and the US with appropriate safeguards.
  • Supabase — database hosting. Servers are in the EU.
  • UploadThing — file storage for uploads (for example portal assets). Data may be processed in the US under standard contractual clauses or equivalent mechanisms.
  • Resend — transactional email. Data may be processed in the US under standard contractual clauses or equivalent mechanisms.
  • GitHub — source code repository. We do not store client personal data or project content in the repository as part of normal operation.

We do not allow these providers to use your data for their own marketing. Their privacy notices describe their processing in more detail.

International transfers

Some providers above may process data outside the UK. Where that happens, we rely on appropriate safeguards recognised under UK law (such as the UK extension to the EU-US Data Privacy Framework where applicable, standard contractual clauses, or other approved mechanisms).

Your rights

Under UK GDPR you have the right to:

  • Access — ask what personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — ask us to delete your data in certain circumstances.
  • Restriction — ask us to limit processing in certain circumstances.
  • Data portability — receive some data in a structured, machine-readable format where applicable.
  • Object — object to processing based on legitimate interests, including profiling in some cases.

To exercise any of these rights, email isabella@collectivstudio.uk. We will respond within one month in most cases (we may extend in complex cases as the law allows).

You also have the right to complain to the Information Commissioner's Office (ICO) — the UK supervisory authority for data protection (ico.org.uk).

Security

We use technical and organisational measures appropriate to the nature of the data we hold, including secure hosting, access controls, and encrypted connections. No method of transmission over the internet is completely secure; we work to reduce risk in line with industry practice.

Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top will change when we do. For significant changes we will take reasonable steps to inform you where appropriate.

Questions? isabella@collectivstudio.uk